@daddygo
We use a starface phone-system and every soft-client uses 5060.
And also starface itself uses 5060 to connect to our sip-providers through the internet.

Anyone for help?

Thank you

I finally cracked it. In order for the settings for the frontend to work, a matching SNI filter was needed so that the crt-list would kick in. Settings for the sub-frontend for client side certs were ignored without the SNI match.

@kom
Works fine!!
I had made the import without specifying in which store.
tks

Hi all,

Regular expression in the squidguard is also not working. I tried to make several blocks including using: \.facebook.com and even then it does not block. It only works when I put it in the domains box.

@rle,  I'll definitely look more into RADIUS.

I guess I forgot to mention the fact that I have HAproxy up and running, but it's currently only working for HTTP and HTTPS on ports 80 and 443, respectively. I'm also already running Snort with the paid rules set. I understand Suricata is somewhat better with Layer 7 app detection. Specifically, it can identify HTTP and SSH traffic on non-standard ports, which would likely be more beneficial in this use case now that you mention it.

Trust me, I'm the same way! I'm learning as I go here! :-)

@piba see also https://github.com/pfsense/FreeBSD-ports/pull/1066

@memphis2k

Anybody? Is this not possible? Just looking for some thoughts

@mcury
Thanks for the reply, so got it working, i used the pf2ad script
but on ldap for squidguard how to add a group with a space the group is called domain users

ldapusersearch ldap://apolo.casa.local:3268/DC=casa,DC=local?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=CN=domain users%2cCN=Users%2cDC=casa%2cDC=local))

@johnpoz

I am using the non-devel haproxy 0.61_1, so that is probably the difference. I'd imagine these changes in devel will eventually make it to the non-devel version?

It seems like I could tweak this further without upgrading the haproxy package to devel so I'm going to keep it on the stable release for now, but it is good to know it might be easier in the future. I looked all over today and kept getting back to this post.

In the "Actions" table, look for the "Condition acl names" column. You can enter one or more ACL names for any action, separated by spaces. If you enter more than one ACL name for an action, ALL ACLs must match for the action to occur (ANDed conditions).

@viragomann said in HAproxy exposing only pfSense’ ip address at hosts log:

@gschmidt
You can run HAproxy in transparent reverse mode. It can be enabled in the backend advanced settings.

Thanx, I will have a look at it!

Update: sadly not an option, I also want to access the domotica web app inside my network (I have only one subnet)...

I will ask first at the Domoticz forum if it is possible to retrieve the ip address from the header with a script...thanx

I already figured it out.

Changed 2 options in my Cloudflare account

b530eb2a-a2e9-4ec9-87eb-620378256273-image.png

Under SSL/TLS menu:
Overview
Default setting was Flexible, but needs to be Full(Strict)

Edge Certificates
I had checked "Always use HTTPS" to ON....but needs to be OFF

Thats it...I think it was the HTPPS trick...because in HAproxy I use SSL Offloading and HTTP to access the Host